How to Install Shibboleth SSO on Ubuntu 20.04 (Tutorial)
In this guide we explain How to Install Shibboleth SSO on Ubuntu 20.04.
What is Shibboleth Server?
Shibboleth is a single sign on and log in solution for computer networks and the Internet. It allows you to single sign in using just one identity to various systems run by federations of different organizations or institutions.
Shibboleth is a web based Single Sign On infrastructure. It is based on SAML, a standard for the exchange of authentication data.
Shibboleth leverages Active Directory, LDAP, Kerberos and extends to authentication for Users to the Cloud Apps.
It is one of the most widely used identity management software in the world. It was adopted by academic institutions, identity federations, and commercial organizations all over the world.
This post takes us through how to install Shibboleth SSO on Ubuntu 20.04.When installing Shibboleth we will have Apache Tomcat Web Server is installed.
How to Install Shibboleth SSO on Ubuntu 20.04
Install Java JDK
Shibboleth runs on Java so you will need to install the Java JDK on your server. You can install it using the following command:
apt-get install default-jdk -y
Once the Java is installed, verify the Java installation using the following command:
java --version
You will get the following output:
openjdk 11.0.11 2021-04-20
OpenJDK Runtime Environment (build 11.0.11+9-Ubuntu-0ubuntu2.20.04)
OpenJDK 64-Bit Server VM (build 11.0.11+9-Ubuntu-0ubuntu2.20.04, mixed mode, sharing)
Install Apache Tomcat
Shibboleth can be deployed using a WAR file on the Tomcat instance. So you will need to install the Tomcat on your server.
First, create a dedicated user for Tomcat using the following command:
useradd -r -m -U -d /opt/tomcat -s /bin/false tomcat
Next, download the latest version of Tomcat with the following command:
wget https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.55/bin/apache-tomcat-9.0.55.tar.gz
Once the download is completed, extract the downloaded file with the following command:
tar -xvzf apache-tomcat-9.0.55.tar.gz
Next, move the extracted directory to /opt with the following command:
mv apache-tomcat-9.0.55 /opt/tomcat
Next, set proper ownership and permission to the /opt/tomcat directory:
chown -RH tomcat: /opt/tomcat
sh -c 'chmod +x /opt/tomcat/bin/*.sh'
Create a Systemd Service File for Tomcat
Next, you will need to create a systemd service file to manage the Tomcat service. You can create it with the following command:
nano /etc/systemd/system/tomcat.service
Add the following lines:
[Unit]
Description=Tomcat 9 servlet container
After=network.target
[Service]
Type=forking
User=tomcat
Group=tomcat
Environment="JAVA_HOME=/usr/lib/jvm/default-java"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom -Djava.awt.headless=true"
Environment="CATALINA_BASE=/opt/tomcat"
Environment="CATALINA_HOME=/opt/tomcat"
Environment="CATALINA_PID=/opt/tomcat/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh
[Install]
WantedBy=multi-user.target
Save and close the file then reload the systemd daemon with the following command:
systemctl daemon-reload
Next, start the Tomcat service and enable it to start at system reboot:
systemctl start tomcat
systemctl enable tomcat
You can verify the Tomcat status using the following command:
systemctl status tomcat
You will get the following output:
● tomcat.service - Tomcat 9 servlet container
Loaded: loaded (/etc/systemd/system/tomcat.service; disabled; vendor preset: enabled)
Active: active (running) since Tue 2021-11-16 10:56:34 UTC; 9min ago
Main PID: 5156 (java)
Tasks: 41 (limit: 4691)
Memory: 682.6M
CGroup: /system.slice/tomcat.service
└─5156 /usr/lib/jvm/default-java/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.loggin>
Nov 16 10:56:34 ubuntu systemd[1]: Starting Tomcat 9 servlet container...
Nov 16 10:56:34 ubuntu startup.sh[5136]: Tomcat started.
Nov 16 10:56:34 ubuntu systemd[1]: Started Tomcat 9 servlet container.
Configure Tomcat Web Management Interface
Next part of our guide how to Install Shibboleth SSO on Ubuntu 20.04 we will need to create an admin user to access the Tomcat web interface. You can do it by editing tomcat-users.xml file:
nano /opt/tomcat/conf/tomcat-users.xml
Add the following lines above the line </tomcat-users>:
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="admin" password="password" roles="admin-gui,manager-gui"/>
Save and close the file when you are finished.
By default, the Tomcat web interface is configured to access the Manager and Host Manager apps only from the localhost. So you will need to enable access to the web interface from the remote machine.
For the Manager app, edit the following file:
nano /opt/tomcat/webapps/manager/META-INF/context.xml
Remove the following lines:
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
For the Host Manager app, edit the following file:
nano /opt/tomcat/webapps/host-manager/META-INF/context.xml
Remove the following lines:
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
Save and close the file then restart the Tomcat to apply the changes:
systemctl restart tomcat
Install Shibboleth SSO
Now, you will need to download the latest version of Shibboleth SSO from their official website.
wget https://shibboleth.net/downloads/identity-provider/4.1.4/shibboleth-identity-provider-4.1.4.tar.gz
Once the download is completed, extract the downloaded file with the following command:
tar -xvzf shibboleth-identity-provider-4.1.4.tar.gz
Next, change the directory to the extracted directory and install the Shibboleth with the following command:
cd shibboleth-identity-provider-4.1.4/bin
./install.sh
Answer all questions as shown below to finish the installation:
Source (Distribution) Directory (press <enter> to accept default): [/root/shibboleth-identity-provider-4.1.4] ?
Installation Directory: [/opt/shibboleth-idp] ?
INFO [net.shibboleth.idp.installer.V4Install:158] - New Install. Version: 4.1.4
Host Name: [ubuntu] ?
INFO [net.shibboleth.idp.installer.V4Install:601] - Creating idp-signing, CN = ubuntu URI = https://ubuntu/idp/shibboleth, keySize=3072
INFO [net.shibboleth.idp.installer.V4Install:601] - Creating idp-encryption, CN = ubuntu URI = https://ubuntu/idp/shibboleth, keySize=3072
Backchannel PKCS12 Password:
Re-enter password:
INFO [net.shibboleth.idp.installer.V4Install:644] - Creating backchannel keystore, CN = ubuntu URI = https://ubuntu/idp/shibboleth, keySize=3072
Cookie Encryption Key Password:
Re-enter password:
INFO [net.shibboleth.idp.installer.V4Install:685] - Creating backchannel keystore, CN = ubuntu URI = https://ubuntu/idp/shibboleth, keySize=3072
INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool:166] - No existing versioning property, initializing...
SAML EntityID: [https://ubuntu/idp/shibboleth] ?
Attribute Scope: [localdomain] ?
INFO [net.shibboleth.idp.installer.V4Install:474] - Creating Metadata to /opt/shibboleth-idp/metadata/idp-metadata.xml
INFO [net.shibboleth.idp.installer.BuildWar:103] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.1.4
INFO [net.shibboleth.idp.installer.BuildWar:113] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:92] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:125] - Creating war file /opt/shibboleth-idp/war/idp.war
BUILD SUCCESSFUL
Total time: 48 seconds
Next, change the ownership of the /opt/shibboleth-idp directory to Tomcat:
chown -R tomcat /opt/shibboleth-idp
Deploy Shibboleth WAR File
Next part of our guide how to Install Shibboleth SSO on Ubuntu 20.04 we will need to deploy the war file from “/opt/shibboleth-idp/war/idp.war” into Tomcat using the Tomcat manager app.
First, open your web browser and access the Tomcat using the URL http://your-server-ip:8080. You should see the following screen:
Now, click on the Manager App. You should see the authentication page:
Provide your admin username, password and click on the Sign in button. You should see the following page:
Now, scroll down and type “/opt/shibboleth-idp/war/idp.war” inside the WAR or Directory path and click on the Deploy button to deploy the WAR file. You should see the following page.
Allow Remote Access to Shibboleth IDP
Next, you will also need to edit the access-control.xml file and enable remote access to Shibboleth IDP:
nano /opt/shibboleth-idp/conf/access-control.xml
Add “0.0.0.0/0” to allow anyone to access the Shibboleth as shown below:
<util:map id="shibboleth.AccessControlPolicies">
<entry key="AccessByIPAddress">
<bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
p:allowedRanges="#{ {'127.0.0.1/32', '0.0.0.0/0', '::1/128'} }" />
</entry>
Save and close the file when you are finished. Then, restart the Tomcat service to apply the changes:
systemctl restart tomcat
Now, open your web browser and access the Shibboleth status page using the URL http://your-server-ip:8080/idp/status. If everything is fine, you should see the following page:
Configure HTTPS for Shibboleth SSO
It is recommended to enable HTTPS for Shibboleth SSO. To do so, first install the Apache package with the following command:
apt-get install apache2 -y
Next, create a directory to store the SSL certificate:
mkdir /etc/apache2/ssl
Next, generate a self signed SSL certificate using the following command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/idp.key -out /etc/apache2/ssl/idp.crt
Answer all the questions as shown below:
Generating a RSA private key
...............................+++++
.....................+++++
writing new private key to 'https://net.cloudinfrastructureservices.co.uk/etc/apache2/ssl/idp.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:GJ
Locality Name (eg, city) []:JND
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ITC
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:SERVER
Email Address []:admin@example.com
Next, create an SSL params file with the following command:
nano /etc/apache2/conf-available/ssl-params.conf
Add the following lines:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLSessionTickets Off
Save and close the file then create an Apache virtual host configuration file to host Shibboleth SSO with HTTPS:
nano /etc/apache2/sites-available/idp.example.com.conf
Add the following lines:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName idp.example.com
ServerAdmin admin@example.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
#ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLEngine on
SSLProxyEngine On
SSLCertificateFile /etc/apache2/ssl/idp.crt
SSLCertificateKeyFile /etc/apache2/ssl/idp.key
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
</IfModule>
Save and close the file then enable the required Apache modules and activate the Apache virtual host with the following commands:
a2enmod proxy_http proxy ssl headers
a2ensite idp.example.com
Finally, restart the Apache service to apply the changes:
systemctl restart apache2
Now, you can access the Shibboleth site securely using the URL https://idp.example.com.
How to Install Shibboleth SSO on Ubuntu 20.04 Conclusion
In the above post, we explained how to install Shibboleth SSO with Tomcat on Ubuntu 20.04. We also explained how to secure the Shibboleth website with self signed SSL. I hope you can now easily deploy Shibboleth SSO in your organization.
